DriftWatch — Agent Identity Drift Monitor
Security checks across malware telemetry and agentic risk
Overview
DriftWatch is a coherent git-history audit tool, but it can read sensitive agent/user memory files, optionally send diff snippets to Claude, and be scheduled to run repeatedly.
This skill appears safe to use for its stated audit purpose. Before installing, decide whether you want LLM mode to send identity/user/memory-file diffs to Claude; use `--no-llm` for local-only checks, and enable cron or heartbeat scheduling only deliberately.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Reports may reveal private user or agent-memory details from the workspace.
The skill intentionally tracks files that may contain personal user context and persistent agent memory, so generated reports or LLM prompts may include sensitive context.
- `USER.md` — what agents know about their human
- `agents/*/MEMORY-INDEX.md` — per-agent active context
Run it only in trusted workspaces, review generated reports before sharing them, and avoid including highly sensitive data in tracked memory files.
Diff snippets from identity, user, tools, or memory files may be processed by the configured Claude/Anthropic account.
LLM mode sends the constructed prompt, including diff snippets, through the local Claude CLI to an external model provider. This is disclosed and purpose-aligned, but it crosses a data boundary.
result = subprocess.run(
    ["claude", "--print", "--model", "claude-haiku-4-5", prompt],
Use `--no-llm` for private workspaces or when you do not want file diffs sent to an external LLM provider.
LLM mode may use the user's Anthropic account, quota, and provider-side data handling policies.
The optional LLM path uses the user's Anthropic/Claude credentials, although the registry metadata declares no primary credential or required environment variable.
# With LLM semantic analysis (requires ANTHROPIC_API_KEY)
python3 skills/driftwatch/driftwatch.py --days 30
Only enable LLM mode if you are comfortable using that account for these diffs; otherwise run with `--no-llm`.
The LLM report could understate or misclassify a drift event if the audited text is adversarial.
Raw git diff text from the files being audited is embedded into the LLM prompt. If a changed identity or memory file contains prompt-like instructions, it could influence the model's classification.
Diff snippet:
{diff_snippet}
Treat LLM analysis as advisory, review the raw diffs for important changes, and prefer stronger prompt isolation if extending the tool.
Running the skill may create or update local report files even though it should not modify the audited identity files.
The read-only claim is imprecise because the skill does create a report file. The write is scoped and disclosed, but users should understand that it modifies the skill directory by adding output.
Writes a markdown report to the skill directory. ... **Read-only. Does not modify any files.**
Expect report files to be written locally and clean them up if they contain sensitive content.
If enabled, the skill may run periodically and, unless configured otherwise, may use LLM analysis on new diffs.
The README provides a user-directed cron setup for recurring scans. This is not hidden persistence, but it is a persistent scheduled execution mode.
openclaw cron add "0 9 * * 1" "python3 /Users/michaelmaciver/.openclaw/workspace/nightly/2026-03-06-hail-mary-driftwatch/driftwatch.py --cron --days 7"
Add cron/heartbeat scheduling only if you want recurring scans; consider adding `--no-llm` for privacy-sensitive scheduled checks.
